Formal synthesis of non-fragile state-feedback digital controllers considering performance requirements for step response

This work describes an approach for synthesizing state-feedback controllers for discrete-time systems, taking into account performance aspects. The proposed methodology is based on counterexample-guided inductive synthesis (CEGIS), producing safe controllers based on step response performance requirements, such as settling time and maximum-overshoot. Controller candidates are generated through constrained optimization based on genetic algorithms. Each iteration that does not satisfy the initial system requirements is learned as a failed result and then used in another attempt. During the verification phase, it is considered the controller fragility to ensure deployable implementations. Such an approach assists the discrete-time control system design since weaknesses occur during implementation on digital platforms, where systems that meet design requirements are employed. The proposed method is implemented in DSVerifier, a tool that uses bounded (and unbounded) model checking based on satisfiability modulo theories. Experimental results showed that our approach is practical and sound regarding the synthesis of discrete state-feedback control systems that present performance requirements. It considers finite word-length effects, unlike other methods that routinely ignore them.

• We describe a novel approach for synthesizing open-and closed-loop linear time-invariant systems while considering performance requirements, system fragility, and FWL effects in fixed-point representations of controllers. As a result, this paper is the first to address the problem of designing correct-by-construction controllers, which takes into account performance requirements, encoded in an automated CEGIS-based methodology, which can handle different FWL formats. • Experimental results show that our approach can effectively synthesize settling time and overshoot specifications in control applications suffering from FWL effects. Our results also show the provision of a system model description capable of being integrated into the setup of a GA-based optimization, leading to substantial improvements for synthesizing digital controllers for different FWL formats.
The remainder of this paper is organized as follows. In "Preliminaries" section presents basic concepts of digital dynamic systems, FWL effects in digital systems, and CEGIS, while "Verifying non-fragile performance specification requirements" section shows the verification methodology employed for evaluating digital control systems.
In "Non-fragile synthesis for performance requirements" section describes the proposed method for synthesizing digital controllers, considering FWL effects. In "Experimental evaluation" section, in turn, reports experiments regarding a set of benchmarks and discusses their results. Next, "Related work" section presents a summary of studies related to formal verification and synthesis applied to system controllers. Finally, "Conclusion" section draws our conclusions.

Preliminaries
A system can be seen as a process with inputs and outputs, which is usually simplified to only one input and one output. In particular, a system produces a transformation regarding an input signal x(t), which then generates an output one y(t) that is usually described by a mathematical operator S{·} . Controllers are employed for modifying a system to make it present a given desirable behavior. This section aims to introduce fundamental concepts of digital systems, design problems, and tools necessary for developing a methodology based on CEGIS that can produce correct-by-construction controllers.
Digital dynamic systems. The state-space representation of a single-input single-output (SISO) linear time-invariant (LTI) system controlled by a state feedback controller is described as (1) � : x(k + 1) = Ax(k) + Bu(k), y(k) = Cx(k) + Du(k), u(k) = r(k) − Kx(k), www.nature.com/scientificreports/ where A ∈ R n×n , B ∈ R n×1 , C ∈ R 1×n , and D ∈ R are the state-space realization matrices (A, B, C, D) of , K ∈ R 1×n is a state-feedback controller, u(k) ∈ R is the control signal, y(k) ∈ R is the system's output signal, r(k) ∈ R is a control reference signal, and x(k) ∈ R n is a state vector. Figure 1 illustrates the generic step response of (1), where one may notice the area bounded by L upp and L low , i.e., the settling time region , where a signal remains within p% of its final value y ss , which happens for the first time at k r (reach time) and definitively begins at k s (settling time). Moreover, there exists a maximum overshoot M p occurring at k p . FWL effects in digital systems. Usually, control systems are designed with real valued coefficients. Nonetheless, system parameters and signal variables are implemented with limited word-length through hardware registers 19 , which gives rise to FWL effects due to truncation and round-off errors 3,20 .
Indeed, controllers of a digital control system are heavily impaired by FWL effects 9 , as one may notice in Fig. 2, which illustrates the block diagram of a discrete-time feedback control system, where K denotes FWL effects. Consequently, such variations can influence a system's response and its required settling time t sr , which could be neglected due to underestimation of FWL effects 21,22 . As indicated by Cavalcante et al. 9 , FWL effects can be formulated as where R m×n Q is the discrete set of matrices m × n composed by elements of R m×n , which can be represented in the fixed-point format I, F , while I and F are the number of bits of integer and fractional parts, respectively. As the coefficients of K are subject to FWL effects 9 , a state-space representation can be written as  www.nature.com/scientificreports/ where the matrix K FWL := F WL �I;F� [K] is the controller gain considering FWL effects. The FWL effects due to round-offs and quantization have been investigated in the recent literature 4,15,23 which indicates that they might lead to imprecision and even instability. Most of the non-fragile control techniques describes FWL effects in the digital controller implementation as parametric uncertainties and adopt robust control techniques to ensure the closed-loop properties 20 . However, the FWL effects might be accurately computed if the implementation characteristics (e.g., number of fractional and integer bits of fixed-point representation) are known. This paper adopts the accurate FWL effects on fixed-point implementations of state-feedback controllers as described in 23 .
Additionally, other control issues related to FWL effects are investigated in the literature, e.g., overflows and limit cycle oscillations (LCOs) 15,24 . However, to the best of our knowledge, it is the first work to propose CEGISbased design of state-feedback controllers considering the step response performance requirements.
CounterExample-guided inductive synthesis. CEGIS is an iterative process for program synthesis that is becoming popular, where each iteration performs inductive generalization based on counterexamples provided by a verification engine. Typically, inductive generalization uses information about a limited number of inputs to make claims about all possible inputs in the form of candidate solutions 14 . Figure 3 shows the typical CEGIS' framework 14 and consists of two main stages: synthesis and verification. The former performs the generation of a candidate program, which can presumably satisfy a given property. The latter, in turn, provides a way of checking requirement satisfiability regarding the same property, i.e., if it fails or succeeds.
In the synthesis stage, a learning algorithm exists responsible for refining candidate solutions based on counterexamples provided by a verification engine. The learning algorithm proceeds by searching the space of candidate concepts for one consistent with the examples seen so far. There may be several consistent concepts, but the employed search strategy determines the chosen candidate, then presented to a verification engine and checked against a correctness specification. If the current candidate is correct, the synthesizer terminates and outputs it; otherwise, the verification engine generates a counterexample, which informs the reason for this failure. Next, the same counterexample is forwarded to the learning algorithm, which adds it to a specific group and then repeats its search. It is possible that, after a given number of iterations, the learning algorithm is unable to find a consistent candidate concept, in which case the learning step and hence the overall CEGIS procedure fail 25 .
Although the CEGIS' framework is well-defined, and all associated steps are clear and self-contained, there still exists room for improvement. For instance, in the synthesis stage, it is possible to generate candidates that present more chance to be correct, i.e., it is likely that they meet the input requirements, which may range from an auxiliary model to specific generation algorithms. In this work, we decided to formulate an optimization problem and solve it using GAs to generate candidates that meet design requirements in the form of constraints for an optimization problem. GAs perform a global search and then explore the search space using different kinds of crossover. Besides, as a controller generated by a GA already satisfies the constraints of the optimization problem (here, constraints are the same as requirements), the synthesis mechanism only needs to ensure that it behaves this way when operating under FWL effects.
The compliance with respect to the performance requirements by considering the FWL is checked in the verification step. It is possible to use formal verification approaches to check candidates, given that they are robust solutions and proved to be practical and effective 4,26 . In this paper, the verifier stage is performed based on the digital control system verification methodology presented in 9 , which is summarized in the next "Verifying non-fragile performance specification requirements" section. The synthesizer step proposes a GA-based optimization where the constraints are updated when a verifier stage indicates that the solution is invalid. A candidate controller generated by the GA is considered valid only if its quantized version K FWL succeeds in the verification step. The former step is discussed in "Non-fragile synthesis for performance requirements" section.
(3) � FWL : Figure 3. We illustrate the traditional CEGIS' block diagram 9 , where the synthesizer provides candidate solutions, while the verifier checks whether these solutions meet the specification. We implement a learning algorithm in the synthesizer, responsible for refining candidate solutions based on feedback (counterexamples) provided by the verifier.

Verifying non-fragile performance specification requirements
In this study, we use a CEGIS synthesis technique to generate a controller to satisfy performance requirements. In this CEGIS implementation, we have two main stages: synthesis and verification, the latter being tackled in this section. Specifically, we show the synthesis schemes developed for settling time and maximum overshoot in the context of digital control systems.

Maximum overshoot estimation.
A formal parameter is needed to verify the maximum overshoot in a control system using formal methods, which involves property satisfiability. Regarding this, Algorithm 1 was developed, which describes a procedure to estimate y p , i.e., the maximum peak value in the response of a system, and k p , i.e., the sample where y p is located, in order to find a formal approach to verify the maximum overshoot used in the proposed CEGIS approach. Algorithm 1 was developed in a previous work 9 , thus it will be shortly discussed here. The main parameters of Algorithm 1 are defined as follows: • ∇ k is the variation in the output signal; • y ∇ i is the amplitude of the sample where the last gradient was detected; • i is the sample index where this amplitude is located; • ξ is the number of detected peaks that are not of interest for the current analysis, i.e., false peaks smaller than the current one; • k is the current sample number iteration.
As inputs for Algorithm 1, we have state matrices A , B , C and D , controller K (if the analysis regards a closedloop system), and system input u. Indeed, input data are used for intermediate calculations, such as obtaining y(k) and y ss , with their respective formulae. The outputs of Algorithm 1 are the maximum peak ( y p ) and the peak time ( k p ).
Finally, the maximum overshoot M p is computed as follows: (4) M p = y p − y ss . www.nature.com/scientificreports/ Settling time invariant estimation. Cavalcante et al. 9 provide a methodology to compute an invariant for settling time of discrete-time systems. In the verification literature, an invariant is a logical proposition which over-approximates the set of reachable states by allowing the reduction of the verification space 27 . In this paper, we find an upper-bound for the settling-time to allow pruning the verification space up to that bound. In summary, the following function based on the eigenvalues is defined: where c is a constant that makes y(k) enter the settling time region, based on the slowest eigenvalue ¯ . Given the definition of the settling time itself and the heuristic function, the instant ( k ) a system enters its settling time region can be found with where p indicates the setting time region, in percentage (please, see "Digital dynamic systems" section). A design procedure, with Eq. (5), k p , and y p , could then obtain c , which allows modeling of the settling time region dynamics, based on the slowest eigenvalue: In a nutshell, the reasoning behind this mathematical formulation is that if the slowest eigenvalue indicates that the desired settling time is reached, i.e., k ≤ k s , it is assured that the entire system meets this requirement, given that the other eigenvalues are faster. Nonetheless, when that does not happen, it is not assured that a given system does not meet k s , given the net result of the interaction among eigenvalues, which may then lead to a direct verification regarding output samples. Finally, the most direct use of k is as an invariant during verification procedures.

Settling time and overshoot verification algorithms.
Based on the estimates of the settling timeinvariant and the maximum overshoot, verification algorithms for overshoot and settling time requirements are presented in 9 .
The overshoot verification technique 9 consists in checking if the actual percentage overshoot PO (as computed) is lower than or equal to the required percentage overshoot ( PO r ). If the latter is true, it consequently leads to a Verification SUCCESSFUL; otherwise, Verification FAILED is reported. In summary, y ss and PO r are the necessary inputs for this algorithm, which performs a simple comparison.
In order to find the overshoot percentage, based on the maximum overshoot ( M p ) shown in Fig. 1, one can use 9 which can be run after Algorithm 1.
The overshoot verification consists basically in checking if the computed percentage overshoot P.O. (Eq. 8) is lower than the required percentage overshoot ( P.O. r ), which, if true, consequently leads to a Verification SUCCESSFUL.
Regarding the settling time verification algorithm, we assume that the main algorithm has access to all parameters used by it and produces Verification SUCCESSFUL or Verification FAILED, as output. There also exists a straightforward companion algorithm (not shown here) that receives, as inputs, system specifications (state-space matrices, input samples, and a controller) and produces k r (instant where that output reaches the settling time region), as output. This algorithm is useful when y p is in the settling time region (see the last conditional block of Algorithm 2).
The proposed procedure for verifying settling time, which was developed by Cavalcante et al. 9 , is described in Algorithm 2 and consists in first checking if k , as computed with Eq. (6) (see "Settling time invariant estimation" section), is lower than the required settling time k sr , which promptly assures success. Nonetheless, if that is not the case, a system's output must then be directly checked. Indeed, the invariant approach's main advantage is based on the adopted heuristic function: no computation based on a system's model is needed, which provides high speed and simplicity.
(5) y(k) = y ss + c k , y ss ⌉, www.nature.com/scientificreports/ Notice that both Algorithms 1 and 2 can be used to verify systems with or without FWL effects. In order to guarantee the safety of the implemented controller, it is necessary to check the system FWL with the quantized controller K FWL .
For a deeper understanding of the presented verification methodologies, we refer the reader to the work developed by Cavalcante et al. 9 .

Non-fragile synthesis for performance requirements
In this section, we describe our proposed synthesis methodology based on the specification of performance requirements for digital control systems. The synthesis methodology is based on the CEGIS technique, with two stages: verification and learning (where a specific synthesizer is located), as illustrated in Fig. 3. In the learning stage, we generate a controller K to satisfy our performance requirements (settling time and/or overshoot), using GAs 16 , where we take system definitions and specifications as constraints. After generating K, a verification stage employs the verification approaches for settling time and overshoot on the system FWL described in (3) and considering the FWL effects, as explained in "Settling time and overshoot verification algorithms" section. Then, it receives the mentioned controller K and verifies if the latter meets the initial requirements. If the presented procedure fails in that stage, it goes back to the learning step and keeps repeating that loop until it is successful regarding the associated verification.
In our CEGIS methodology, GAs perform a global search and explore search spaces using different kinds of crossover, i.e., combination procedures, afterwards 28 . That feature provides a great advantage to GAs regarding finding a solution, which is not necessarily the global optimal, for a given optimization problem and is very interesting regarding digital controllers due to the need for individual coefficient tuning. Moreover, as a controller generated by GAs already satisfies the constraints of the underlying optimization problem, in the CEGIS-based scheme proposed here, a synthesis mechanism only needs to ensure that it still meets the input requirements when operating under FWL effects.
In Fig. 4, we illustrate the proposed synthesis methodology, in a general form, where system definitions represent the overall system (state-space matrices and input). Moreover, the parameter requirements contains the requirements to be synthesized (settling time and/or overshoot), total_attempts is the total number of attempts to synthesize a controller, which is empirically defined by a user, attempts represents the number of attempts without changing any synthesis parameter (when a change occurs, a parameter is then reset and a new cycle is started, which also results in an increment to total_attempts), GA Engine is the block that performs the generation of a candidate controller through genetic algorithms, verify() is the verification engine ("Settling time and overshoot verification algorithms" section), which is basically the DSVerifier tool where we implemented our verification methodologies, MAXATT is the maximum number of attempts to synthesize a controller (as informed by a user), MAXINNERATT represents the maximum number of attempts without changing any GA parameter (MAXINNERATT is reset to zero, when a GA parameter is changed, while MAXATT continues to increment), popsize is the population size of the genetic algorithm, which was set to 100 chromosomes, as suggested by Roeva et al. 29 , and STEP is the step to increment the GA's population, which, in the present work, was empirically obtained as 10. Besides, the proposed verification engine relies on what we are synthesizing (settling time and/or overshoot) and, as it is a generic framework, we could have also implemented different verification procedures and fed their results to the GA module.
In Fig. 4, we first define the system to be synthesized, which comprehends a plant, i.e., its state space matrices ( A , B , C and D ), a system's input (we have used only the unit step), and the requirements a specified system should meet (settling time and/or overshoot). Next, we can step into GA Engine, where an optimization problem www.nature.com/scientificreports/ is implemented, based on a given system and considering the informed requirements as constraints (see details in "Generating a candidate controller K" section). Finally, as an output of GA Engine, a candidate controller K, which possibly makes a system satisfies the input requirements, is generated. Then, the verification process itself (according to the chosen property to synthesize) can now be performed, considering system definitions, the generated controller candidate, and the requirements to be verified (see "Verifying non-fragile performance specification requirements" section).
If the verification succeeds, then the associated synthesis procedure is successful and the entire process is terminated; otherwise, the total number of attempts (total_attempts) is evaluated to check if it exceeds the maximum number of attempts (MAXATT). If that is the case, the synthesis process fails and is terminated; otherwise, the number of attempts (attempts) is evaluated, without changing any GA parameter (e.g., population size), to check if it exceeds the maximum number defined for that (MAXINNERATT ). If the latter is not valid, the population size of the GA is also incremented by a fixed step (STEP). Finally, GA Engine runs again, the entire process is repeated.
Generating a candidate controller K. In our CEGIS-based synthesis methodology, we use genetic algorithms for generating a candidate controller K, in order to satisfy the desired requirements (overshoot and settling time). Our methodology uses two objective functions to solve three separated problems: synthesize for overshoot, settling time, or both. The objective functions are www.nature.com/scientificreports/ where K is the controller matrix and k is given by Eq. (6). We have chosen the objective function f 1 because of its simplicity and also to avoid a high noise sensitivity, which may happen as a result of significant gains (K). Therefore, minimizing f 1 implies minimizes the controller induced norm, which may help to avoid overshooting. Besides, f 2 is based on settling time calculation ( k ), which is easy to specify as an optimization problem. It is worth noticing that it is not mandatory to specify an objective function related to a specific constraint, although some intrinsic advantages may come from that. Indeed, we must only specify a function, while the associated solver (in the present case, a genetic algorithm) will try to find a solution, considering the input constraints. Other objective functions have indeed been tested, such as norms H 2 and H ∞ , but they have not provided good results due to the lack of relationship with input requirements and global outcome. Moreover, objective functions related to overshoot were not successful either.
Optimization problem to meet overshoot and settling time. In order to generate a controller K, using a genetic algorithm that satisfies both overshoot and settling time requirements, we formulate the following optimization problem: The constraints above are precisely what we look for, as they directly represent the desired requirements. The last constraint ( ¯ ≤ 1 ) is crucial, given that an output system must be stable; indeed, without stability, performance analysis can not be executed. In the case a problem with different constraints is needed, i.e., other requirements, the given problem is specified in the same way, but an applicable rule that satisfies the underlying requirements must then be formulated. For instance, if a critically damped system is desired, the constraint ζ = 1 2 could be added.
In the present case, we want no minimize the multi-objective functions ( f 1 and f 2 ) constrained to k ≤ k sr , PO ≤ PO r , and ¯ ≤ 1 . The first constraint guarantees that the system meets the settling time requirement, since k sr ≥k (cf. Algorithm 2). The second one, in turns, assures the required maximum percentage overshoot. Finally, the third one ensures that the controller K will keep a system stable, with ¯ being the largest absolute eigenvalue that is also smaller than 1, which provides stability.
It is worth to mention that the candidate controller generated by solving the problem (11) does not consider the FWL effects. However, the verification step of the proposed CEGIS algorithm considers the FWL effects by computing K FWL := F WL �I;F� [K] . Therefore, the verification step is based on Algorithms 1 and 2 for the system (3), and the synthesized controller K is considered safe only if the performance requirements hold for K FWL .
Architecture of DSVerifier. The synthesis methodology presented above was implemented within the DSVerifier tool to experiment with the techniques developed in the present work in the context of several benchmarks. Moreover, such a development would enhance DSVerifier even further and make it a comprehensive tool for digital systems, but now regarding performance requirements and robustness aspects such as overflow, limit-cycle oscillation, and finite word-length 17 . The architecture illustrated in Fig. 4 was added to DSVerifier.
The synthesis part was implemented in C++, where all the necessary matrix operations were performed with the help of library Eigen 30 , while the GA module was implemented with the support of library Galgo 31 , also available for C++, which was used as an optimization tool for generating candidate controllers. The settling time and overshoot verification algorithms shown in "Verifying non-fragile performance specification requirements" section were already implemented within DSVerifier, due to a previous work 9 .

Experimental evaluation
Experimental objectives. In order to validate the methodology proposed in this work effectively, the related features were developed and implemented in C++ as part of DSVerifier. With their addition, we were able to submit our methodology to a set of benchmarks created exclusively for this work so that two original contributions are promptly identified. First, we provide a suitable test suite for future work. Second, we present results with tests targeting controllers synthesized for meeting performance requirements.
Apart from implicit contributions, our experiments have the following goals: EG1 (Suitability) Demonstrate the suitability of the proposed methodology regarding digital-controller synthesis; EG2 (Performance) Evaluate the effectiveness and the advantages of the proposed methodology when comparing it with other existing approaches.
Experimental setup. The experiments presented here were carried out on four similar computers with slightly different configurations. That was done to speed up result generation, since the synthesis experiments executed here demand considerable time for their completion, as they consume many resources. If they were all executed on the same machine, the associated results would take very long to complete in parallel. The chosen machines have the following base configuration: a processor Intel (R) Core (TM) i7-4500 CPU @ 1.8 GHz, with Description of the benchmarks. The benchmarks with the control systems used to evaluate the proposed approach are described below. In particular, they are available at Appendix with the information about statespace matrices A , B and C , required settling time t sr , and required percentage overshoot PO r . We have assumed that all benchmarks present a state-space matrix D = 0. Those systems were chosen based on the possibility of providing different scenarios, in relation to the eigenvalues of A . All experiments were conducted using the following configuration: ts = 0.5, p = 5, bounds_l = -0.5, bounds_u = 0.5, popsize = 100, and nbgen = 100. The first four parameters match what is used in practice, while the last two were empirically defined by performing extensive baseline tests. The performance of the proposed methodology, as implemented in DSVerifier, was then obtained with those same values, with the goal of successfully synthesizing controllers. In addition, there exist systems of 2nd (benchmarks 1, 5, 8, 12 and 15), 3rd (benchmarks 2, 9 and 13), 4th (benchmarks 3, 6, 7, 10 and 14), and 5th (benchmarks 4 and 11) order.
The chosen benchmarks present different eigenvalue configurations. Considering σ A the set of eigenvalues of matrix A , there exist systems with σ A = {all n are the same, depending on a system's order | ∈ R }, σ A = {all n are different | n ∈ R and/or n ∈ C }, and σ A = { ∀ n | ∈ R }, in our benchmark set. With this diversity, it is possible to cover scenarios that present different behaviors, such as overdamped, underdamped, and critically damped systems, in addition to second, third, fourth and fifth-order systems, with the goal of making a thorough analysis. Moreover, benchmark 15 is the model of a DC motor.
The chosen benchmarks were tested with 3 different FWL configurations (8, 16 and 32 bits), in the following scenarios: considering only settling time, only overshoot, and both properties simultaneously (settling time and overshoot). Consequently, that amounts to 45 tests per property scenario and 135 in total.
As a matter of avoiding corner cases and complex scenarios, which may present little practical use, we have empirically fixed the test time-out to 15 days. Consequently, if an individual experiment reaches a running time of 15 days, it is aborted. Experimental results. The Table 1 summarizes the experimental results for our benchmarks. The column ID identifies each benchmark, Order indicates the number of continuous variables, R represents the result of the associated synthesis (successful or failed), T is the number of attempts to perform a synthesis procedure, and, finally, 4, 4 , 8, 8 and 16, 16 represent the considered FWL format, where they represent a total of 8, 16, and 32 bits, respectively. When an experiment fails, Table 1 indicates MA or TO, which means the maximum number of attempts has been reached or there was time-out during a specific execution, respectively.
On the one hand, the synthesis process performed by DSVerifier, which applies the methodology proposed in this work, presented, in total, 101 cases of successful synthesis, with 39 being experiments considering only settling time, where there were 13 success cases for each of the considered FWL configurations (8,16, and 32 bits). Additionally, 32 experiments considering only overshoot were successful, where 10 employed 8 bits, 11 Table 1. We show the experimental results considering settling time and overshoot specifications. ID identifies each benchmark, Order indicates the number of continuous variables, R represents the result of the associated synthesis (successful or failed), T is the number of attempts to perform a synthesis procedure, MA means the maximum number of attempts has been reached, TO indicates that there was time-out during a specific execution, S means synthesis successful, F means synthesis failed.  Indeed, there are two causes for those results, which we noticed during experiments and led to failures in synthesis processes: nature of closed-loop system's eigenvalues and open-loop instability. Regarding long synthesizing times curbed by the imposed time-out value of 15 days, one apparent reason is the nature of a system's eigenvalues, together with the number of bits used for the chosen FWL format. In summary, there exists no way to predict how long a synthesis process will take because each case presents its particularities.

R T R T R T R T R T R T R T R T R T
As illustrated in Fig. 5, experiments related to only settling time presented a success rate of 87%, when dealing with the 3 different FWL formats considered here ( 4, 4 , 8, 8 , and 16, 16 ). Regarding experiments tackling only overshoot, success rates of 73%, for formats 8, 8 and 16, 16 , and 67%, for format 4, 4 were achieved. Finally, concerning experiments considering both requirements, a success rate of 67% was obtained for all the analyzed FWL formats. Indeed, one may notice that combined requirements present a more complex scenario for the proposed synthesis scheme, with overshoot being more difficult than settling time. Moreover, the rates of successful attempts are mostly dictated by a specific requirement arrangement. Indeed, a system's overshoot can be tightly controlled by tuning a controller's gain 32 ; however, it is still heavily influenced by a system's eigenvalues and their relation with other parameters 33 , such as sampling time. Settling time figures, in turn, are mostly dominated by the largest eigenvalue 9 in a system. Consequently, it becomes more challenging to control overshoot responses. The results generated by DSVerifier, i.e. the controller, were validated after each experiment, using Matlab, where we have simulated specific systems (i.e., state-space matrices and input), together with the synthesized controllers. Then, the obtained results were manually checked with the plot of the resulting step response to assure the desired settling time and/or overshoot values.
In experiments targeting only settling time, when applying FWL format 4, 4 , the synthesis was successfully carried out with one attempt, for benchmarks 1-9, 11, 14, and 15, and three attempts, for benchmark 10. Indeed, this is an interesting behavior for such experiments, given that, for instance, benchmark 11, which is a 5th-order system, needed only one attempt, as benchmark 1, which is a 2nd-order system. In summary, there is no clear relationship between FWL format, the nature of systems' eigenvalues, and open-loop stability.
With FWL format 8, 8 , the successful cases carried out one, in case of benchmarks 1, 2, 4, 5, 7-9, 11, 14, and 15, two, in case of benchmarks 3 and 10, and five attempts, in case of benchmark 6. Again, there seems to be no clear relation between FWL format and the nature of a system' eigenvalues, which makes some experiments need more attempts than others. However, there is a simple explanation for the behavior of benchmark 6, which will be clarified for the next format.  www.nature.com/scientificreports/ Experiments with FWL format 16, 16 presented, in general, a more significant number of attempts than the other formats, which is indeed intuitively expected, where they needed one to forty-one attempts to successfully synthesize benchmarks 1-11, 14, and 15. Most of them needed more than one attempt to be successfully synthesized. A compelling case intrigued us: benchmark 6 needed 41 attempts, and the reason for that is not related to the nature of its eigenvalues (complex numbers) its open-loop instability. The combination of a more significant number of bits and eigenvalues profile created, for this specific benchmark, a state space system which took longer to be explored by GA Engine, as also happened with format 8, 8 . Indeed, the latter required an intermediate number of attempts, which clearly influences the chosen FWL format.
In order to provide a more transparent evaluation regarding synthesis attempts, the weighted average was used as a merit figure, which can be computed as where ATT AVG is the average number of attempts, G n is the group n of benchmarks with the same number of attempts, and ATT n is the number of attempts for this same group. Format 4, 4 took 1.15, format 8, 8 took 1.46, and, finally, format 16, 16 took 5.69 attempts, in average. Consequently, with settling time, larger FWL formats require more attempts.
This same trend is also noticed by using an area chart to relate the number of attempts in each experiment and chosen FWL format. The ordinate axis shows the number of attempts for synthesizing a given controller that meets specific requirements. At the same time, the ID of the experiments is described on the abscissa axis, as illustrated in Fig. 6.
The gaps in Fig. 6 refer to the developed tool not being able to synthesize benchmarks successfully due to reaching the established maximum limit of attempts. In those cases, i.e., benchmarks 12 and 13, that happened due to poles that lead to system instability, in open-loop.
Considering only overshoot, experiments with format 4, 4 took between one and nineteen attempts to successfully execute synthesis procedures regarding benchmarks 1, 3-6, 8-11, and 15. Moreover, the other formats ( 8, 8 and 16, 16 ) took only one attempt to be successfully synthesized, with benchmarks 1-6, 8-11, and 15, mainly because most of them have real eigenvalues, which led to outputs without a large ripple.
Regarding overshoot experiments, ATT AVG figures of 3.8, 1.0, and 1.0 attempts were obtained for formats 4, 4 , 8, 8 , and 16, 16 , respectively. Although this reverse behavior may initially seem strange, it is indeed expected: coarser quantization strategies may impair algorithm convergence. As already mentioned, the overshoot is heavily influenced by a system's eigenvalues and their relation with other parameters and, in the present case, a coarser representation led to situations where the exact coefficient values (their combination) were not found, for expected behavior, due to larger gaps between consecutive quantized numbers, which ultimately resulted in a higher number of attempts.
The area chart in Fig. 7 shows the opposite behavior noticed earlier. Indeed, benchmarks 1, 5, and 8, with format 4, 4 , presented a more significant number of attempts for successful synthesis procedures, while benchmark 8, with format 8, 8 , required as many attempts as those for format 4, 4 . One could also notice that benchmark 5 demanded many attempts (19) during synthesis when considering format 4, 4 ), which is related to its complex eigenvalues. Unlike experiments considering settling time, benchmark 5 had a more significant (12) ATT AVG = N n=0 G n × ATT n N n=0 G n , Figure 6. We illustrate the area chart for our settling time experiments under different FWL formats ( 4, 4 , 8, 8 , and 16, 16 ) and the number of attempts to synthesis the digital controllers from 1 to 15. As we can observe, the FWL format directly influences the number of attempts to synthesize these digital controllers considering the settling time specification. www.nature.com/scientificreports/ number of attempts for a smaller amount of bits. We did not find any plausible explanation for that behavior during the experiments. When experiments considering both requirements (settling time and overshoot) were performed, in FWL format 4, 4 , they took between one and twenty-two attempts, with benchmarks 1-5, 8-11, and 15. It is interesting to mention that benchmarks 9 to 11 have 3 eigenvalues in common ( −0.2 , −0.3 and −0.7 ), and the reason for more attempts to synthesize those lies in the combination of those eigenvalues, when dealt with by GA Engine.
When format 8, 8 was used, one or two attempts were necessary to successfully synthesize benchmarks 1-5, 8-11, and 15. Specifically, only benchmarks 3 and 10, both of 4th order, needed more than one attempt to be successfully synthesized.
In format 16, 16 , experiments took from one to seven attempts, with benchmarks 1-5, 8-11, and 15. The majority of those experiments needed more than one attempt to be successfully synthesized.
In   ( 4, 4 , 8, 8 , and 16, 16 ) and the number of attempts to synthesis the digital controllers from 1 to 15. As we can observe, the FWL format directly influences the number of attempts to synthesize these digital controllers considering the overshoot specification.  ( 4, 4 , 8, 8 , and 16, 16 ) and the number of attempts to synthesis the digital controllers from 1 to 15. As we can observe, the FWL format directly influences the number of attempts to synthesize these digital controllers, considering settling time and overshoot as specification. www.nature.com/scientificreports/ On the one hand, the area chart in Fig. 8 shows that benchmarks from 1 to 5 behave similarly to what can be noticed in Fig. 6, where more restricted FWL formats require fewer attempts. The reason behind this is that a coefficient combination for satisfying the overshoot requirement is quickly found, and, this way, settling time ends up being the dominant goal. On the other hand, benchmarks from 9 to 11 behave similarly to what is found in Fig. 7. Again, the smaller the number of bits in an FWL, the more attempts are needed to synthesize a controller, whose explanation lies on a dominant overshoot requirement. As a general consideration, an experiment behavior depends on the dominant requirement and possible combinations for achieving the desired figure, which, if known, might lead to a previous parameter tuning (e.g., FWL format and settling time/overshoot value). That indeed paves the way for a new study involving the creation of specification files. Nonetheless, one may notice that there are more unsuccessful procedures related to the synthesis of combined requirements.
Among groups of experiments organized by requirement configuration (settling time, overshoot, and both), we found out that overshoot ones, in average, took 1.93 attempts to synthesize a controller, followed by experiments considering both parameters, with 2.7, and settling time, with 2.77. Of course, the number of bits for an FWL format also impacts our tool in terms of attempts, as already shown.
One may notice that the synthesis tool failed to synthesize a controller that meets the requirements for benchmarks 12 and 13, whether considering only settling time, overshoot, or both. Such experiments failed due to reaching the established maximum-attempts limit, i.e., MAXATT = 200). A direct cause is the presence of unstable open-loop systems. In that case, the proposed methodology cannot find a controller that meets stability and performance requirements together. Indeed, GA engine (see Fig. 4) is unable to generate candidates that meet such requirements at the optimization problem level and still ensure stability.
Regarding cases where the proposed methodology with the chosen parameters and requirements was not able to synthesize a controller because the chosen time-out or the maximum attempts was reached, we have tried to change some parameters for them, such as the MAXATT and the time-out itself (in some cases, it was fixed to 30 days). Nonetheless, that was still not enough.
In addition, our tool failed in synthesizing benchmarks 2, 6, 7, and 14, for some combinations of format and requirements, due to exceeding the execution time limit. This fact can be related to the nature of systems' eigenvalues, which are specifically complex eigenvalues. In that sense, other GAs with different strategies could also be employed, which is regarded as an extension to the present study.
In our experiment, we noticed that our methodology is more effective when synthesizing controllers for meeting only one requirement: settling time (39 successful and 6 failed) or overshoot (12 successful and 13 failed). Therefore, we still need to improve our methodology, regarding such a context, by using some effective multi-objective optimization tools.
Threats to validity. We have shown a favorable assessment of our method over a set of digital control systems. Nonetheless, those benchmarks are limited within this paper's scope, which means the proposed method's performance should be further assessed on a more extensive set of real-world systems. Besides, we have a few parameters to be configured, such as the maximum number of attempts, which may lead to unsuccessful results, e.g., if the chosen maximum number of attempts is not sufficient for synthesizing a controller. The same happens to the parameters related to population size and the number of generations for the GA module, given that they can directly influence results. Nonetheless, in this paper, we indicate values for those parameters that we found suitable for the current experiments.
Moreover, we did not take into account the execution time needed to solve a specific problem. Instead, we have concentrated our effort on finding a correct controller able to make a system that meets a set of requirements. Consequently, our methodology can be time-consuming, depending on the system to be synthesized and the chosen parameters. As a consequence, one may argue that a consequent and necessary study regards parameter configuration based on target requirements and operation scenario, which may lead to an algorithm for generating SpecsFile.ss.
Experiments with power converter models. We have chosen two power converter system examples: buck 34 and boost 35 converters. They demonstrate our formal synthesis methodology in physically motivating examples. In particular, those converters regulate the voltage and interconnect electrical systems. They are vital elements in the green economy due to their intensive application to low/zero carbon energy generation systems and consumers [36][37][38] .
Buck converter system. Buck converter (step-down converter) 34 is a DC/DC converter that decreases the voltage (while increasing the current) from its input (power supply) to its output (load). Buck converters are used, for example, to reduce the voltage of laptop batteries (12-24V), providing the few volts necessary for modern processors to work such as Apple M2's or Intel's (x86) 39 . Figure 9 depicts the block diagram of a typical buck converter control loop.
To experiment with this system against our methodology, we present the state-space model for a Buck converter extracted from Iordanov & Halton 40 . The state-space model is described as follows.
(13) � buck : www.nature.com/scientificreports/ where R, L, C, R L , R C , V g , T s and t d are, respectively, the load resistance, inductance, capacitance, line resistance, DC-link resistance, the power supply voltage, sampling time, and the delay time induced by the sampling process. In this paper, the values of those parameters are borrowed from Iordanov & Halton 40 and are provided in Table 2 for convenience.
Boost converter system. A boost converter 35 is used to "step-up" an input voltage to some higher level required by a load. This unique capability is achieved by storing energy in an inductor and releasing it to the load at a higher voltage. This capability highlights some of the more common pitfalls when using boost regulators. These include maximum achievable output current and voltage, short circuit behavior, and fundamental layout issues. We present a discrete state-space model for a Boost converter, which was directly extracted from Alkrunz et al. 41 .
The state-space model is described as follows.
All these values in the equation were taken from the work developed by Alkrunz et al. 41 .
Results. We conducted these experiments using our formal synthesis methodology implemented on the DSVerifier tool 17,42 to synthesize a buck and a boost converter systems. In addition, we considered a required settling time and/or overshoot for such models (c.f. Eqs. 13,14). The state-feedback controllers are synthesized from the buck and boost converters models (cf. "Buck converter system" and "Boost converter system" sections). Here, we consider three-step response requirements: only maximum admissible settling time, maximum admissible overshooting, and maximum settling time and overshoot. Moreover, we consider the FWL effects in 3 different formats, namely 4, 4 , 8, 8 , and 16, 16 .  www.nature.com/scientificreports/ Table 3 summarizes the synthesis results, considering only the settling time property. We can see that our approach was capable of synthesizing controllers for either Buck and Boost converter systems and every FWL format ( 4, 4 , 8, 8 , and 16, 16 ). However, as we can see, with the lowest number of bits in the FWL format, we took longer to synthesize, especially the Buck converter, due to the variable's range and the number of constraints to be checked by our approach. So, as we increase the FWL format, we also increase the number of candidate solutions that our synthesizer stage can produce, and our verifier stage can check to meet the specification. Table 4 shows the results considering only the overshoot property. We can see that our methodology could synthesize digital controllers in all cases. However, for Buck converter experiments, we took longer to synthesize a controller to satisfy overshoot and FWL effects aspects due to the extensive state exploration produced by the underlying model and the property under verification.
It is worth mentioning that both buck and boost converters exhibit fast dynamics with poor damping. Thus, synthesizing state-feedback controllers to guarantee some settling time property, as reported in Table 3, is not a challenging task. Furthermore, although the damping is poor, meeting only overshoot requirements is also easily achieved by sacrificing the response speed since those converters are open-loop stable systems. However, meeting tight settling time and overshooting requirements simultaneously become challenging. Table 5 shows the results considering both settling time and the overshoot properties. This experiment helped evaluate our proposed synthesizer because in the Buck converter, considering both properties and FWL effects, our tool tried to synthesize a digital controller. However, only after the 29th attempt could it synthesize a satisfiable controller. It happens because our synthesizer stage struggles to produce candidate solutions using the GA algorithm, considering the underlying state-space model that can meet the given specification. In this respect, the verifier stage must also check more challenging verification conditions, considering settling time and overshoot properties.   www.nature.com/scientificreports/ Figure 10 shows the response output for the buck converter system illustrated in "Buck converter system" section. This response refers to the synthesized controller considering both settling time and overshoot specification and FWL effects of the form 4, 4 in (a), 8, 8 in (b), and 16, 16 in (c). As we can see, DSVerifier, using the proposed methodology, could successfully synthesize a controller in all cases ( 4, 4 , 8, 8 , and 16, 16 ). In our experiment, we required a settling time of 1 ms and an overshoot of 45% , and all three synthesized controllers met the requirements under FWL effects. In the 3 cases, for the required settling time, the response is already in the settling time region, i.e., it meets the requirement. In addition, the overshoot in all 3 cases is under the maximum required in these experiments. If we consider Fig. 4, we have a main loop where the learning module (genetic algorithms) generates a candidate controller to test against our verification engine to see if it meets the requirements. In the case of this experiment, it required to loop 29 times for FWL format 4, 4 , and one time for the other two formats to find a controller that meets all the requirements, including the FWL effects, as we can see in Table 5 (Column Attempts). Figure 11 shows the response of the Boost converter system in "Boost converter system" section, when the synthesized controller is applied. In all 3 cases- Fig. 11a-c, the required settling time ( k sr = t sr /T s ) is already in the settling time region (as the response reached the settling time region, it did not leave it anymore), which means that the system meets this specific requirement. Adding to that, we also see that the overshoot in the www.nature.com/scientificreports/ response is under the required one, which leads to meeting this requirement as well (calculated overshoot less than 1% , much smaller than the required one-45% ). For all FWL formats evaluated in this work, our tool, according to Fig. 4, only needed one attempt to generate a controller that met all the requirements. One vital observation we noticed in the results is related to the experiment with the Buck converter, considering both settling time and overshoot and the FWL effects in format 4, 4 . In that experiment, DSVerifier took total_attempts= 29 to synthesize a controller that met the requirements, representing 21 days to finish the synthesis process. The reason why that happened is intriguing, given that for the other formats of FWL, the methodology did not have a problem synthesizing a controller (about one day and one attempt). It can be explained by the loss of performance due to the quantization. Indeed, it is easier to meet the step response requirements with more bits since it produces a more extensive set of candidate controllers. Thus, the synthesizer takes more time to produce a valid controller with the lowest number of bits in the FWL format because of consecutive failed attempts. www.nature.com/scientificreports/

Related work
The CEGIS synthesis technique can be regarded as the problem of computing correct-by-construction programs from a set of high-level specifications. In recent years, methods to solve this kind of problem have been used in different applications. For instance, Buchwald, Fried, and Hackin 43 presented a fully automatic approach to create probably correct rule libraries, from formal specifications of an instruction set architecture and a compiler IR, using a hybrid approach that combines enumerative techniques with template-based CEGIS. Abate et al. 23,44 presented an approach to synthesizing safe digital feedback controllers for physical plants represented as linear time-invariant models. That approach uses the CEGIS technique, which has two phases. The first one synthesizes a static feedback controller that stabilizes a given system, but may not be safe for all initial conditions. Safety is then verified via BMC or abstract acceleration: if the verification step fails, a counterexample is provided to the synthesis engine and the process iterates until a safe controller is obtained.
Bloem et al. 45 proposed an approach for the automatic synthesis of Byzantine-tolerant self-stabilizing systems in the form of distributed labeled transition systems. In this work, the synthesis method takes, as input, a description of the network of processes and a specification in linear-time temporal logic and a bound on the number of Byzantine processes in the same network. It encodes the existence of a solution into a problem in satisfiability modulo theories (SMT) and then tries to synthesize correct implementations for all processes if they do exist.
Lv, Zhang, and Zhang 46 presented a robust stabilization algorithm based on a periodic observer for linear discrete-time periodic (LDP) systems. In their paper, the problem of state observer design is transformed into the solution to the corresponding matrix equation, and an iterative algorithm is given based on the conjugategradient (CG) algorithm. Initially, they consider the state observer design problem for linear discrete-time periodic systems without disturbances and give the expected algorithm. In that way, they consider the case where uncertain disturbances existed in a system's parameters and provided an algorithm considering minimum norm and robustness.
Farahani et al. 47 automatically synthesize reactive controllers for cyber-physical systems subject to signal temporal logic (STL) specifications. They explored three different methods for solving the required worst-case model predictive control (MPC) problem: a multi-parametric mixed-integer linear programming (MILP) solution, a Monte Carlo approach, and a dual optimization scheme. In addition, the main goal of this work is to obtain a controller that satisfies desired properties despite a potentially adversarial environment: the controller must therefore be robust to uncertain exogenous actions.
Abate et al. 14 presented an approach to program synthesis that combined the strengths of a counterexampleguided inductive synthesizer with those of a theory solver. It is focused on one particular challenge for program synthesizers: the generation of programs that require non-trivial constants. Unfortunately, that work does not focus on the digital control system. Consequently, it does not consider FWL effects, showing the lack of research that provides the analysis that our work targets.
Eriksen et al. 48 presented an on-line controller technique for a signalized intersection. The controller reads the current data from the radar sensors and uses it to learn a near-optimal controller at each control step. This strategy uses machine learning techniques to synthesize near-optimal traffic light controllers. The authors have shown that properly using more detailed information from radars can dramatically decrease the waiting times and queue lengths. This work presented to be very good for solving this kind of problem. However, it does not seem good enough for the application we are applying in the present work, given that it does not consider either performance parameters in the controller or FWL effects.
The presented related work tackles different system synthesis applications, while some are restricted to safe and stable controllers. Nonetheless, in control systems, performance requirements are of paramount importance in the design phase of controllers, and, sometimes, designers do need that a system response meets a particular settling time and/or overshoot. The main difference between those studies and the one presented here is that the latter tackles performance requirements for digital control systems together with FWL effects. Indeed, FWL effects impair the behavior of a system and can lead to critical mistakes, such as those caused by disregarding the chosen hardware for a given final implementation. In that sense, our methodology provides a correct-byconstruction controller that already takes into account hardware issues (e.g., FWL effects). In addition, the fact that we use GAs, which are capable of good convergence 49 , means there is potential for finding a solution for different types of systems, given their optimization strategy.

Conclusion
This work assumes the main goal: the development of a correct-by-design methodology suitable to the synthesis of digital controllers that meet performance requirements of control systems, i.e., settling time and overshoot, concerning the step response and already considering FWL effects.
To this end, the development of synthesis and verification methodologies was supported by some algorithms shown in this work, which helped on the formal verification process of performance requirements, considering the FWL effects. For the synthesis, such algorithms are used in the verification process, one of the CEGISmethodology stages, as another module of this synthesis scheme. Specifically, a genetic algorithm was used to generate controller candidates.
As shown in "Experimental evaluation" section, the synthesis methodology implemented in the DSVerifier tool was able to synthesize digital controllers in a variety of control-system benchmarks specially created for the present work, which is also a contribution, i.e., a test database. The CEGIS technique was used as a synthesizing method in an iterative way, where, at each iteration, a candidate controller is generated with the aid of a genetic algorithm.
The experimental evaluations carried out in this work aim to show the application of the proposed synthesis methodology to digital controllers that should meet the requirements of settling time, overshoot, or both, www.nature.com/scientificreports/ simultaneously, already considering the FWL effects. The methodology developed in this work, implemented in C++, as a new functionality of DSVerifier, synthesized most of the benchmarks used here. Further work should include the support to parametric uncertainties by using non-deterministic verification. In addition, the synthesis engine may benefit from using techniques ranging from machine learning to more robust formulations for generating candidates in the synthesis scheme. Finally, it is also possible to extend our methodology to MIMO systems.